Everyone in healthcare knows that the next round of HIPAA audits is coming. Covered entities and business associates have long been advised to review and update their HIPAA security risk analyses, have business associate agreements close at hand, and review and update HIPAA policies and procedures. At a recent conference, representatives from the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) provided more insight into the status of the HIPAA audits. In addition, that conference reinforced the need for covered entities, business associates, and all others in the healthcare industry to be prepared for increasing enforcement activity by the Federal Trade Commission (“FTC”).
OCR Update on HIPAA audits
On September 2-3, 2015, OCR and the National Institute of Standards and Technology of the US Department of Commerce (“NIST”) co-hosted the eighth annual Safeguarding Health Information: Building Assurance Through HIPAA Security conference in Washington, D.C. (the “HIPAA Conference”). Jocelyn Samuels, the Director of OCR, announced that, despite delays, OCR is close to launching the next phase of its HIPAA audit program. She did not provide specific dates for the commencement of the audits but did say that the next phase likely will focus on remote “desk audits” rather than on-site audits. These audits will include both covered entities and business associates, and OCR is expected to release an updated audit protocol closer to the start of the audits.1 OCR has engaged a third-party contractor, FCi Federal, to support OCR’s HIPAA audit activities.2
Summary of FTC Enforcement in Healthcare Privacy and Security
Section 5 of the FTC Act prohibits ‘‘unfair or deceptive acts or practices in or affecting commerce.’’3 The FTC takes the position that this language grants it broad authority to regulate the privacy and security practices of any business, even a business that is already regulated by HIPAA. In fact, the FTC has stated specifically that nothing in HIPAA or in rules promulgated by HHS negates the FTC’s authority to enforce the FTC Act.4
The FTC and OCR have been known to work together to investigate security practices, as evidenced by their parallel investigations into both CVS Caremark and RiteAid in 2009 and 2010. In the end, both pharmacy chains made payments to settle allegations of HIPAA privacy rule violations, entered into resolution agreements with HHS regarding corrective action, and also entered into consent decrees with the FTC.5
Recently, we have seen the FTC act on its own in the healthcare space as well. Following an FTC investigation into the alleged failure to adequately safeguard laptops, Accretive Health, a hospital billing company, entered into a 20-year consent order with the FTC.6 In addition, the FTC alleged that California-based GMR Transcription Services, Inc. (“GMR”) failed to ensure adequate safeguards for personal information and failed to require its contractors to do so. The FTC also alleged that GMR’s privacy policies and statements misrepresented its security practices. Like Accretive Health, GMR entered into a 20-year consent order with the FTC.7
Despite the lack of detail from the FTC regarding “unfair or deceptive practices,” during the HIPAA Conference, Cora Tung Han, Senior Attorney with the FTC’s Division of Privacy and Identity Protection, expressed her view that the standards for security applied by the FTC and OCR are generally consistent. Ms. Han also encouraged attendees to review the FTC guide “Start with Security: A Guide for Business” (the “FTC Security Guide”).8
Reinforcing HIPAA Compliance in light of FTC Enforcement
With both HIPAA requirements and the FTC’s recent enforcement actions in mind, here are five steps that can help any entity in healthcare improve its privacy and security practices:
- Conduct and update a risk analysis
OCR has been saying this for years, but it is worth repeating: conduct and document a risk analysis as required by the HIPAA security rule.9 For those covered entities and business associates that still have not conducted an initial risk analysis or have not recently updated a risk analysis, OCR has posted a number of helpful documents on its website that can guide covered entities and business associates through the process. In addition, OCR collaborated with the Office of the National Coordinator and the HHS Office of the General Counsel to develop a downloadable security risk assessment tool that can be accessed from OCR’s website.
- For purposes of HIPAA security, “addressable” does not mean “optional”
The standards and implementation specifications of the HIPAA security rule are either “required” or “addressable.” All too often, though, covered entities and business associates misinterpret “addressable” as “optional,” and OCR will not look kindly on security policies that do not adequately document the reasons for failing to implement an “addressable” standard or specification. A covered entity or business associate should ensure that its HIPAA security policies address each and every standard and specification set forth in the HIPAA security rule.
- Control access to Protected Health Information (“PHI”)
Security strategies focusing only on external threats do not suffice, as insider threats pose a significant risk to the privacy and security of PHI. OCR has emphasized the importance of managing workforce access to PHI and has referred over 500 insider threat cases to the Department of Justice. The FTC also emphasizes the need for internal restrictions to data, and the FTC Security Guide specifically states that controls should be in place to make sure that employees have access to data only on a “need to know” basis.
- Conduct diligence on your business associates and service providers
Both OCR and the FTC have emphasized the need to pay more attention to the security practices of those individuals and entities to whom you provide PHI or other sensitive data. For HIPAA purposes, it is important to know who your business associates are and to make sure that business associate agreements are in place when required. In addition, asking questions about security practices, including security requirements in contracts, and engaging in ongoing oversight are all advisable. As noted in the FTC Security Guide, security among business associates and services providers cannot be handled on a “take our word for it” basis.
- Deal with devices
If there was one theme emerging from the HIPAA Conference, it was encryption. Nearly every speaker noted the need for encryption in the healthcare industry. At this point, we should not expect OCR or the FTC to have any tolerance for unencrypted laptops or mobile devices. Also, under HIPAA, a risk analysis must identify where electronic PHI is stored, received, maintained, or transmitted, and encryption should be addressed each time. Don’t forget devices and technologies like copiers, backup media, medical devices, and tablets. If a decision is made not to encrypt a specific device or technology storing, receiving, maintaining, or transmitting electronic PHI, the reasons for that decision must be documented.
While these five steps alone will not ensure compliance with HIPAA or the FTC Act, these suggestions will go a long way toward improving the security practices of any covered entity, business associate, or other business operating in the healthcare industry.
For more information on these issues, contact Jill M. Girardeau.
Womble Carlyle client alerts are intended to provide general information about significant legal developments and should not be construed as legal advice regarding any specific facts and circumstances, nor should they be construed as advertisements for legal services.
IRS CIRCULAR 230 NOTICE: To ensure compliance with requirements imposed by the IRS, we inform you that any US tax advice contained in this communication (or in any attachment) is not intended or written to be used, and cannot be used, for the purpose of (i) avoiding penalties under the Internal Revenue Code or (ii) promoting, marketing or recommending to another party any transaction or matter addressed in this communication (or in any attachment).
1 As of the date this alert was finalized, the audit protocol available on the OCR website had not yet been updated. The audit protocol can be found here: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html.
2 The FCi Federal press release can be found here: http://fcifederal.com/press-release/fci-federal-expands-us-department-health-and-human-services.
3 15 U.S.C.A. § 45.
4 See the FTC order dated January 16, 2014 in the LabMD matter, which can be found here: https://www.ftc.gov/sites/default/files/documents/cases/140117labmdorder.pdf.
5 See the OCR press releases related to CVS and RiteAid found here: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/cvsresolutionagreement.html and http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/riteaidresagr.html.
6 See the FTC press release regarding Accretive Health found here: https://www.ftc.gov/news-events/press-releases/2014/02/ftc-approves-final-consent-settling-charges-accretive-health.
7 See the FTC press release regarding GMR found here: https://www.ftc.gov/news-events/press-releases/2014/01/provider-medical-transcript-services-settles-ftc-charges-it.
8 A copy of the FTC’s guidance “Start with Security: A Guide for Business” can be found here: https://www.ftc.gov/tips-advice/business-center/guidance/start-security-guide-business.
9 See 45 C.F.R. § 164.308(a)(1). Note that a security risk analysis is also required for purposes of the Medicare and Medicaid EHR incentive programs.